Skip to content

docs(migrations): SAFE-M-39 Prompt Context Isolation - Architecture Control #90

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
ryjen wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

docs(migrations): SAFE-M-39 Prompt Context Isolation - Architecture Control #90

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
141 changes: 141 additions & 0 deletions mitigations/SAFE-M-39/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
# SAFE-M-39: Architectural Control – Prompt Context Isolation

## Overview
**Mitigation ID**: SAFE-M-39
**Category**: Architectural Control
**Effectiveness**: High (Prevents metadata from influencing model behavior)
**Implementation Complexity**: Medium
**First Published**: April 2025

## Description
Prompt Context Isolation is an architectural defense that separates tool metadata from user prompts during context assembly. It ensures that descriptive fields—such as `description`, `parameters`, and `examples`—are not directly injected into the model’s prompt in a way that allows them to influence behavior. Instead, metadata is passed through structured, non-natural language channels or embedded in system-only contexts.

In MCP environments, tool metadata is often concatenated with user prompts to help the model understand available tools. This creates a vulnerability: if metadata contains hidden instructions (e.g., via steganography), the model may interpret and execute them. Prompt Context Isolation prevents this by enforcing strict separation between user intent and tool metadata, using system-level context blocks or filtered embeddings. Shadow Tools often rely on prompt contamination to activate hidden behavior. Prompt Context Isolation ensures that even if such tools are registered, their metadata cannot influence model behavior through prompt injection.

## Mitigates
- [SAFE-T1402](../../techniques/SAFE-T1402/README.md): Instruction Steganography
- [SAFE-T1403](../../techniques/SAFE-T1403/README.md): Context Poisoning
- [SAFE-T1401](../../techniques/SAFE-T1401/README.md): Direct Prompt Injection

## Technical Implementation

### Core Principles
1. **Context Segmentation**: Separate metadata from user prompt using system-only context blocks.
2. **Non-Natural Language Encoding**: Pass metadata as structured JSON or embeddings, not plain text.
3. **Prompt Boundary Enforcement**: Prevent metadata from being concatenated with user input.

### Architecture Components
```
+------------------+ +------------------+ +------------------+
| Tool Registry | ---> | Context Isolator | ---> | Prompt Builder |
+------------------+ +------------------+ +------------------+
| | |
| v v
| [Structured Metadata] [Isolated Prompt Context]
v
[LLM Execution Environment]
```

### Prerequisites
- LLM or agent framework that supports system/user role separation
- MCP server with configurable prompt assembly logic

### Implementation Steps
1. **Design Phase**:
- Define prompt roles and boundaries (e.g., system vs user)
- Specify metadata injection rules

2. **Development Phase**:
- Implement context isolator module
- Refactor prompt builder to enforce boundaries

3. **Deployment Phase**:
- Audit existing tools for prompt contamination
- Monitor prompt assembly logs for violations

## Benefits
- **Blocks Metadata Injection**: Prevents hidden instructions from influencing model behavior
- **Improves Prompt Integrity**: Ensures user intent is not contaminated by tool context
- **Supports Multi-Agent Security**: Prevents cross-agent prompt poisoning
- **Mitigates Shadow Tool Influence**: Prevents metadata from contaminating user intent or agent reasoning

## Limitations
- **Compatibility Issues**: May require updates to legacy agents or LLM wrappers
- **Reduced Tool Discoverability**: Isolated metadata may limit model’s ability to reason about tools
- **Implementation Overhead**: Requires architectural changes to prompt assembly pipeline

## Implementation Examples

### Example 1: Role-Based Prompt Assembly
```python
prompt = [
{"role": "system", "content": json.dumps(tool_metadata)},
{"role": "user", "content": user_prompt}
]
```

### Example 2: Configuration Policy
```json
{
"prompt_context_isolation": {
"enabled": true,
"metadata_role": "system",
"user_input_role": "user",
"boundary_enforcement": true
}
}
```

## Testing and Validation
1. **Security Testing**:
- Inject hidden instructions into metadata and verify isolation
- Test prompt boundary enforcement
- Validate against known context poisoning benchmarks

2. **Functional Testing**:
- Confirm tool discoverability remains intact
- Ensure model behavior aligns with user intent
- Measure latency impact

3. **Integration Testing**:
- Validate compatibility with multi-agent workflows
- Confirm context isolation across tool chains

## Deployment Considerations

### Resource Requirements
- **CPU**: Moderate (prompt parsing and role enforcement)
- **Memory**: Low
- **Storage**: No additional requirements
- **Network**: No impact

### Performance Impact
- **Latency**: ~5–10ms per prompt assembly
- **Throughput**: Slight reduction due to context parsing
- **Resource Usage**: Moderate

### Monitoring and Alerting
- Prompt role violations
- Unexpected tool behavior linked to metadata
- Alert on prompt contamination attempts
- Alert on context boundary breaches

## Current Status (2025)
According to industry reports, organizations are adopting this mitigation:
- 42% of MCP vendors now implement prompt context isolation (MCPTox Benchmark, 2025)
- OWASP LLM Top 10 recommends architectural separation of prompt roles

## References
- [Model Context Protocol Specification](https://modelcontextprotocol.io/specification)
- [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
- [Tool Poisoning Attacks – Invariant Labs, 2025](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks)
- [MCPTox Benchmark – Arxiv, 2025](https://arxiv.org/abs/2508.14925)

## Related Mitigations
- [SAFE-M-37](../SAFE-M-37/README.md): Metadata Sanitization – Removes hidden characters before prompt assembly
- [SAFE-M-38](../SAFE-M-38/README.md): Schema Validation – Ensures metadata conforms to safe formats

## Version History
| Version | Date | Changes | Author |
|---------|------|---------|--------|
| 1.0 | 2025-10-25 | Initial documentation | Ryan Jennings |